Slow HTTP POST attack - Q150085

During the vulnerability test, I came across the slow HTTP POST DoS attack warning. Based on the suggested procedures, I made config changes on my web server (Win2008 R2, IIS 7.5; snapshots attached). But I still keep getting the same warning:

"Vulnerable to slow HTTP POST attack Connection with partial POST body remained open for: 128712 milliseconds", even though my connection timeout is set to 30 sec only.

WAS opens a connection and sends a partial HTTP POST request. Partial in this context means that the Content-Length header would specify X, but we send only several bytes, thus making the server wait for the rest of the data. If the server waits for that data for at least 120 seconds without dropping the connection, we assume this is a potential flaw in the server configuration, and by sending a lot of such requests we can potentially fill up the server's connection pool. Because with passive testing it is impossible to tell for sure that the server IS vulnerable, WAS can only assume it based on collected server behavior.

Other settings to tweak, which it appears you have already looked at, are:

Limit request attributes through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.

Set <headerLimits> to configure the type and size of headers your web server will accept.

Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

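The settings named in the answer, applied to IIS 7.5 on Windows Server 2008 R2 and then read back so you can see which value is actually in effect. This is an added example, not code from the thread or from the vendor; the site name, size limits and timeout values are assumptions to be tuned for your application. It uses appcmd.exe, which ships with IIS, so it runs on a stock 2008 R2 box without extra modules.

```powershell
# Added example (not from the original thread): harden IIS 7.5 against slow HTTP
# POST/header attacks using the elements named in the answer, then read the
# effective configuration back. Run in an elevated PowerShell session on the
# web server. Site name, limits and timeouts below are assumptions.

$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$siteName = 'Default Web Site'   # assumed; replace with your site name

# 1. <requestLimits>: cap request body, query string and URL size so a single
#    request cannot reserve an unbounded amount of server buffer space.
#    10485760 = 10 MB body; adjust to the largest upload the app really needs.
& $appcmd set config /section:system.webServer/security/requestFiltering `
    /requestLimits.maxAllowedContentLength:10485760 `
    /requestLimits.maxQueryString:2048 `
    /requestLimits.maxUrl:4096 `
    /commit:apphost

# 2. <headerLimits>: bound the size of individual request headers.
#    appcmd refuses to add an entry that already exists, so this is safe to
#    re-run only after removing the old entry (or skip if already present).
& $appcmd set config /section:system.webServer/security/requestFiltering `
    "/+requestLimits.headerLimits.[header='Content-Type',sizeLimit='100']" `
    /commit:apphost

# 3. <limits connectionTimeout>: idle-connection timeout, format hh:mm:ss.
#    The IIS default is 00:02:00 (120 s), which is exactly the threshold the
#    scanner reports against. A per-site <limits> element overrides
#    siteDefaults, so set both: the default for new sites and the real site.
& $appcmd set config /section:system.applicationHost/sites `
    /siteDefaults.limits.connectionTimeout:00:00:30 `
    /commit:apphost
& $appcmd set site $siteName /limits.connectionTimeout:00:00:30

# 4. <webLimits>: HTTP.sys-level limits. headerWaitTimeout bounds how long
#    HTTP.sys waits for a complete header block; minBytesPerSecond terminates
#    connections whose throughput drops below the floor (bytes per second).
& $appcmd set config /section:system.applicationHost/webLimits `
    /headerWaitTimeout:00:00:10 `
    /minBytesPerSecond:240 `
    /commit:apphost

# 5. Read back what is actually in effect. Compare the site-level output with
#    siteDefaults: if they differ, the site-level value is the one that counts.
Write-Host "--- site-level limits for '$siteName' ---"
& $appcmd list site $siteName /config
Write-Host "--- siteDefaults and webLimits (applicationHost.config) ---"
& $appcmd list config /section:system.applicationHost/sites
& $appcmd list config /section:system.applicationHost/webLimits
Write-Host "--- request filtering limits ---"
& $appcmd list config /section:system.webServer/security/requestFiltering
```

When the scanner still reports a hold time above 120 s after a 30 s connectionTimeout was set, the first thing to check in the read-back is whether the 30 s landed on the site that was scanned or only in siteDefaults, and whether it was written to applicationHost.config at all rather than to an unrelated application-level timeout. Note also that connectionTimeout is an idle timeout: it only fires when no data at all arrives, which is why the answer points at the HTTP.sys-level webLimits as well.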